December 21, 2007

BitDefender Finds Google AdWords Hijack Trojan

Seems there is a trojan out there that can replace Google AdWords with other ads, according to BitDefender. The bug is loaded when a person visits an infected website and the malware attaches itself to a user's computer.

Then, when they surf a publishing site that displays AdWords, the ads are replaced by similar-looking ones from other advertisers.

"The threat, which is identified by BitDefender as Trojan.Qhost.WU, modifies the infected computers' Hosts file (a local storage for domain name / IP address mappings, which is consulted before domain name servers and is considered authoritative).

The modified file contains a line redirecting the host "page2.googlesyndication.com" which should point to an IP of the form 6x.xxx.xxx.xxx to a different address, of the form 9x.xxx.xxx.xxx, so that the infected machines' browsers read ads from server at the replacement address rather than from Google," BitDefender noted.

Posted by Frank Watson at 11:22 AM | Permalink
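
A hosts-file check for the kind of redirect BitDefender describes, as an added example that is not part of the original post or of BitDefender's advisory. The watched-domain list, function names and sample file are assumptions made for illustration; the sample addresses are documentation ranges, not indicators.

```python
import ipaddress

# Domains whose hosts-file overrides deserve a look (assumption: extend per environment).
WATCHED_SUFFIXES = ("googlesyndication.com",)

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(entry) < 2:
            continue
        try:
            ip = ipaddress.ip_address(entry[0])
        except ValueError:
            continue                            # malformed line, not a mapping
        for name in entry[1:]:                  # one address may carry several aliases
            yield line_no, ip, name.lower().rstrip(".")

def suspicious_entries(text, watched=WATCHED_SUFFIXES):
    """Return mappings that send a watched domain to a real (non-local) address."""
    hits = []
    for line_no, ip, name in parse_hosts(text):
        if not any(name == s or name.endswith("." + s) for s in watched):
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue                            # ad-blocking style entry, no redirect
        hits.append((line_no, str(ip), name))
    return hits

# Constructed sample; 198.51.100.x is a documentation range (RFC 5737).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# 198.51.100.9 page2.googlesyndication.com   (commented out, ignored)
0.0.0.0     ads.example.net
198.51.100.7   page2.googlesyndication.com   # redirect of the kind described
127.0.0.1   pagead2.googlesyndication.com
"""

if __name__ == "__main__":
    for line_no, ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; on Unix-like systems it is `/etc/hosts`.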

November 29, 2007

Organic Results Showing Many Malware Sites, Google Expunges Thousands

Seems companies using malware are starting to get good placement in the organic SERPs (search engine result pages), according to numerous reports this week. The sites contain code that installs intrusive software that creates automated popups and subverts browsers, amongst other things.

Sunbelt Software CEO Alex Eckelberry told ComputerWorld he had come across "27 different domains, each with up to 1,499 [malicious] pages. That's 40,000 possible pages."

Sunbelt offers security software including antispyware and antimalware.

One site "tried to install more than 25 separate pieces of malware, including numerous Trojan horses, a spam bot, a full-blown rootkit, and a pair of password stealers. All the malicious code pitched at users is well-known to security vendors, and can only exploit PCs that aren't up-to-date on their patches," ComputerWorld reported.

Google has expunged thousands of such pages since Monday when the problem was first reported, according to Sunbelt.

"Google did confirm yesterday with us that they were working the case, and they are good about nailing this stuff," Eckelberry told ComputerWorld.

Though ComputerWorld did say Google had not confirmed or denied any actions taken on their part.

If anyone is seeing any of these in any of the search engines please let us know here.

Posted by Frank Watson at 12:38 PM | Permalink

July 11, 2007

Masked Bandits Use Google To Crack Safe

Seems safe cracking is a profitable search term in Colorado. A group of masked bandits needed help from Google search to get away with over $12,000, according to The Register.

The unskilled thieves also used WD40 instead of paint to attempt to stop security cameras.

"All that did was clean off the lenses," Colorado Springs detective Chuck Ackerman said.

Posted by Frank Watson at 4:17 PM | Permalink

November 9, 2006

Google Sends Porn Worm To 50,000+ Subscribers

'Porn' worm sent to 50,000 after Google blunder from Silicon.com covers how Google accidentally sent a worm to the official Google Video Blog email list.

The worm apparently came in the form of pornography sent to the group, which had over 50,000 subscribers at the time. The Kama Sutra email, also known as W32/Kapser.A worm, was "designed to overwrite files on infected computers on a specific date."

If you got this email and downloaded the file, it is important that you run antivirus software on your computer. Google promised to try to not do that again.

Postscript From Danny: Google has a post about it here, which gives them a chance to pitch getting free antivirus software through the Google Pack.

Posted by Barry Schwartz at 7:43 AM | Permalink

October 18, 2006

Another Odd Post To An Official Google Blog Raises Security Concerns

Does another odd post to one of Google's official blogs mean Google is losing it in terms of security? It spurred Michael Arrington to fire up a list over at TechCrunch of other security issues, a couple of which I wouldn't agree were breaches. But I can add to the list as well, and there's no doubt these types of things hurt Google when, during its expansion, it needs all the goodwill and trust it can get.

Yesterday, Google Blogoscoped wrote about a strange post on Blogger Buzz, the official blog for Google's Blogger. It turned out to be a case of someone who writes for the Blogger Buzz accidentally posting something meant for her personal blog on Blogger to the official one.

I can completely sympathize with this. About two weeks ago, I posted something to the Search Engine Watch Blog that I meant for my personal blog Daggle. Both use Movable Type, on completely different systems. But I had browser windows open to both of them and just picked the wrong one.

Unfortunately, the mistaken post (which is still up on Blogger Buzz for me) comes about a week after the Official Google Blog was hacked with a fake post. Add that to some other things, and people might be getting worried.

That's certainly Michael Arrington's view at TechCrunch. He writes:

The fact that unauthorized document access is a simple password guess or government “request” away already works against them. But the steady stream of minor security incidents we’ve seen (many very recently) can also hurt Google in the long run. Running applications for businesses is serious stuff, and Google needs to be diligent about security.

Another minor incident came up this evening - a Google employee intended to post on her personal blog and wrote on the official Google blog covering Blogger instead....

Google product teams work in cells, which allows them to quickly launch and iterate products. However, there could be a disadvantage to this as well with regard to security, as there does not seem to be one central policy or security group ensuring strict compliance across the entire company. Every security incident damages Google’s credibility and reputation. Microsoft has been dealing with security issues forever - Google may need to start fighting the same war.

The post includes eight examples of security incidents since 2004. Some I don't agree with, but others I do -- and there are more not on the list. I posted about these at TechCrunch, but my comments aren't showing yet (and possibly didn't go through properly). Here's what I wrote:

Goodness knows I'm not going to defend them on a lot of this stuff. The repeated problems with Blogger security are becoming absurd. Three strikes on their own blog? But Mike, some perspective is probably in order.

Accidentally released Platypus? Sounds like Philipp has a contact at Google that leaked it to him. I suppose that's a security issue, but it's not really a user security issue. Lumping it in there doesn't feel fair. And if you're going to do that, then any time someone from any company leaks you something, you should be reporting that as a security breach from that company.

Some of the other items are iffy on the user security side. They left stuff in a Writely doc, similar to how they left stuff in that analyst presentation a few months before. Sloppy, yes. Security breach, no. Worthy of concern? Yes, because sloppy there could mean sloppy elsewhere.

To add others to your list:

Overall, I agree with you. These incidents hurt Google's reputation and the trust users may have with them. What I can't tell is how they stack up in trust compared to someone like Microsoft. I suspect they're still well ahead there. But it's not "may need" to fight the war. They're in that war now, and every new app increases their exposure to exploits.

Posted by Danny Sullivan at 7:40 AM | Permalink

October 9, 2006

Official Google Blog Gets Hacked After Message On Security

The Official Google Blog was hacked over the weekend, happening embarrassingly after Google had just posted about how seriously it takes security. It also follows a pseudo-hack earlier this year, when someone else took over the Google Blog when the company accidentally deleted it.

The hack was covered in various places. Google Blogoscoped has a good write-up on what was initially posted (and screenshot here), an anonymous message saying that Google's click-to-call project had been cancelled:

After concientiously considering, Google has decided not to continue with Google Click-to-call project. The project has been in the media on last days because of the notice of Google agreement with e-Bay. We finally consider click-to-call agreement with e-Bay a monopolistic aproach that would damage small companies in the CRM area.

It felt like a hack to many, certainly to me as well, and I posted the same to Google Blogoscoped:

Got to be a hack. Especially notice what's currently tops on the Google blog, a post all about how "Google takes security very seriously and designs all of its services and applications to protect your privacy and data security." This almost certainly is someone reading how "we keep the bad guys out of our systems" and thumbing Google's nose to show nope, they don't.

That post from the Google Blog about security says in full:

Most readers of this blog are familiar with our mission to organize the world's information and make it universally accessible and useful. Maintaining the trust of our users and ensuring a positive experience using our products and services is paramount to our ability to accomplish our mission. As a result, Google takes security very seriously and designs all of its services and applications to protect your privacy and data security. Behind the scenes of these efforts is the Google Security Team. We keep the bad guys out of our systems and have brought you features like the anti-phishing extension in Google Toolbar and warnings about Internet malware. As part of our commitment to security, we're putting up some additional help content to let users and security researchers know how to quickly contact us on these issues. We've learned that when security is done right, it's done as a community, and this includes everybody: the people who use Google services (thank you all!), the software developers who make our applications, and the external security enthusiasts who keep us on our toes. These combined efforts go a long way toward making the Internet safer and more secure. Please visit our new security page and feel free to contact us anytime at security@google.com.

The post is incredibly ironic given what's now posted at the top of the blog:

A bug in Blogger enabled an unauthorized user to make a fake post on the Google Blog last night, claiming that we've discontinued our AdWords click-to-call test. The bug was fixed quickly and the post removed. As for the click-to-call test, it is progressing on schedule, and we're pleased with the results thus far.

A bug, also known as a security problem. So much for that trust Google was hoping to maintain with its users. It also happens ironically after publicity about Google shifting attention to improving existing projects, rather than rolling out new ones.

Philipp Lenssen at Google Blogoscoped pointed out what a nice visual contrast the two posts make and posted a screenshot. I couldn't help doing the same:

In March, Google deleted its own blog accidentally, allowing someone else the ability to claim the old Google URL and keep the blog running for a short time outside of Google's control. Official Google Blog Deleted, Blogger Registers googleblog.blogspot.com has more about that.

Finally, the hacked post was published by someone calling themselves Maximal. I found a post from another Maximal on Google Groups asking for help recently with the Google Data API.

Hi, I am making tests with Google Data API to publish my posts. The problem is ... my posts are being published into "the Honourable Dr Mantombazana Tshabalala-Msimang South Africa's Minister of Health" blog (I don't have to say I am not the minister of health of South Africa).

Any help before Honourable Minister of Health of South Africa would speak with Interpol would be apreciated.

Perhaps related?

Posted by Danny Sullivan at 6:16 AM | Permalink

July 6, 2006

Google Fixes XSS Security Holes

A security vulnerability in Google, discovered and posted at ha.ckers.org, was patched quickly by Google. Both Philipp Lenssen and JasonD posted about the XSS hole that enables hackers to deploy phishing scams, cookie stealing, and creation of worms. Matt Cutts of Google was quick to reply to the Threadwatch post, stating that the hole is "either fixed or the fix is going out."

Posted by Barry Schwartz at 9:00 AM | Permalink

March 28, 2006

Official Google Blog Deleted, Blogger Registers googleblog.blogspot.com

Back in April 2004, Google launched their blog at googleblog.blogspot.com. But somehow, in the past few hours, that blog has been completely deleted from the Blogger servers, and users are instead seeing a "Not Found. The requested URL was not found on this server. Please visit the Blogger homepage or the Blogger Knowledge Base for further assistance."

When tempted with a vacant blogspot URL with a PR9, one blogger did what many are probably very envious of... register the googleblog.blogspot.com blog URL.

Now, those who have the official Google Blog on their RSS feeds, saw an entry pop up a few minutes ago with:

Google, fix your blog pleeasssee!

January 17, 2005

Security Issue With Google Accounts Cookie Said Fixed

Google says it has now fixed a security problem with its Google Accounts service, which provides a cookie-based way for people to log into various Google services.

Last Thursday, Google Blogoscoped pointed to a forum discussion (and also here) that suggested Google's Froogle service in particular might inadvertently let people access Gmail accounts, because account information embedded in the Google cookie could be hijacked.

I emailed Google about this on Friday and received back the following statement:

Google was recently alerted to a potential security vulnerability affecting Froogle. We have since fixed this vulnerability, and all current and future Froogle users are protected.

Spotted via Organized Shopping, eWeek has a nice write-up in Google Plugs Cookie-Theft Data Leak on what happened, with quotes from Nir Goldshlager, a security researcher who spotted the hole. He also warns that anyone who had their cookie stolen would still be at risk.

Posted by Danny Sullivan at 9:45 AM | Permalink | TrackBack